[rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%

Michael Maymann michael at maymann.org
Thu Feb 2 14:17:14 CET 2012


Hi,

got it started... but still ??? dir+logfiles are showing up...
This is now my rsyslog.conf:
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup <GROUP>
$PrivDropToUser <USER>
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#SET DESTINATION FOR LOGS
$template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
$template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
$template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
$template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
$template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
$template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
$template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps

if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps

I have tried with $fromhost, $fromhost-ip and $hostname - but all create
??? dir+files...
What variable should I use to handle this properly ?


Thanks in advance :-) !
~maymann

2012/2/2 Michael Maymann <michael at maymann.org>

> Hi,
>
> David: thanks for your reply...
> Here is my new rsyslog.conf:
> #SET PRIVILEGES
> $PreserveFQDN on
> $PrivDropToGroup <GROUP>
> $PrivDropToUser <USER>
> $DirCreateMode 0750
> $FileCreateMode 0640
> $UMASK 0027
>
> #LOAD MODULES
> $ModLoad imudp
> $UDPServerRun 514
> $UDPServerAddress 127.0.0.1
> $ModLoad imtcp
> $InputTCPServerRun 514
>
> #SET DESTINATION FOR LOGS
> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>
> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>
> #SET LOGGING CONDITIONS
> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
>
> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
>
> but it fails...:
> # service rsyslog start
> Starting system logger: rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
>                                                            [  OK  ]
>
> my guess is it is my %FROMHOST% == '???' - is this format correct or how
> is this done...
>
>
> Thanks in advance :-) !
> ~maymann
>
>
> 2012/2/1 <david at lang.hm>
>
> On Wed, 1 Feb 2012, Michael Maymann wrote:
>>
>>  Hi,
>>>
>>> I want to log information about hosts that are not logging with correct
>>> HOSTNAME.
>>> In my current setup, I get a dir "???" where these host(s) are logging
>>> to...
>>>
>>> I would like to change this to the host's IP instead, something like:
>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
>>>
>>
>> rsyslog cannot do what you are asking. It can't assign a value to a
>> property.
>>
>> what you can do is to setup a different template and then if %fromhost%
>> is your special pattern you can log with this different template.
>>
>> David Lang
>>
>
>


